We want to prevent the primary of sBFT (but really any replica in any BFT atomic broadcast) from censoring requests (i.e., dropping individual requests).
Proposal: Per discussion with vukolic, this could be addressed by a generic component (not part of the sBFT core, nor specific to sBFT), which keeps track of new requests ("fresh"), in-flight requests ("pending", only at primary), and recently completed requests. Timestamped entries are serviced infrequently (on a scale of several seconds), and fresh requests will be brought to the attention of the remaining network, including the primary. When a second, longer timeout expires, the component signals to the atomic broadcast implementation that the leader should be changed.
Every time the atomic broadcast implementation observes a change in leader, this is communicated to the component and timeouts are adjusted to give the new leader time to act.
The leader also uses the registry of fresh requests to assemble a new batch.
This sounds deceptively simple and will probably turn out to be more complicated than expected.
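A sketch of the two-timeout bookkeeping proposed above, as an added example that is not sBFT or project code. All names (`Tracker`, `Tick`, `LeaderChanged`, the request IDs) and the timeout values are assumptions, and it covers only the fresh/completed tracking and timer reset, not the primary's pending set or batch assembly.

```go
package main

import "time"

// Tracker is a hypothetical censorship monitor kept outside the consensus core.
type Tracker struct {
	forwardAfter, suspectAfter time.Duration
	fresh                      map[string]time.Time // request ID -> start of current leader's window
	done                       map[string]bool      // recently completed requests
}

func NewTracker(forwardAfter, suspectAfter time.Duration) *Tracker {
	return &Tracker{forwardAfter, suspectAfter, map[string]time.Time{}, map[string]bool{}}
}

func (t *Tracker) Add(id string, now time.Time) {
	if _, known := t.fresh[id]; !known && !t.done[id] { // ignore duplicates and replays
		t.fresh[id] = now
	}
}

// Completed is called when atomic broadcast delivers the request.
func (t *Tracker) Completed(id string) { delete(t.fresh, id); t.done[id] = true }

// LeaderChanged restarts every timer so the new leader gets a full window.
func (t *Tracker) LeaderChanged(now time.Time) {
	for id := range t.fresh {
		t.fresh[id] = now
	}
}

// Tick is the infrequent service pass: requests to forward, and whether to change leader.
func (t *Tracker) Tick(now time.Time) (forward []string, changeLeader bool) {
	for id, since := range t.fresh {
		switch age := now.Sub(since); {
		case age >= t.suspectAfter: // second, longer timeout
			changeLeader = true
		case age >= t.forwardAfter: // first timeout: tell the other replicas
			forward = append(forward, id)
		}
	}
	return forward, changeLeader
}

func main() { // constructed timeline: the leader never orders req-1
	tr := NewTracker(2*time.Second, 10*time.Second)
	tr.Add("req-1", time.Unix(0, 0))
	_, change := tr.Tick(time.Unix(11, 0))
	println("change leader:", change)
}
```

A real component would also expire entries from `done` and bound the size of `fresh`, so that clients cannot exhaust memory by submitting requests that are never ordered.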